V3 - install Rancher using helm - TLS external

We managed to obtain the required hardware resources for the MOSIP installation; however, our new installation is encountering errors caused by the Python 2.7 deprecation. To avoid dealing with this in the future, we are now trying to install the MOSIP production deployment V3.

We are having difficulties installing Rancher using helm on the RKE cluster with the configuration option TLS=external.

Everything looks to be working fine, but accessing the domain produces a 502 gateway error.

We are doing this on premise and using a private IP as the domain.

Here is the command we use to install:

helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=10.0.0.5 \
  --set replicas=2 \
  --set bootstrapPassword=admin \
  --set tls=external

The IP address 10.0.0.5 points to the nginx proxy server node; is this correct?
A self-signed certificate is also created on this node.

Would greatly appreciate any help provided.

Can you please provide us with some more details?

  • Is the domain you are trying to access mapped to 10.0.0.5 properly?
  • Is the required port enabled on the firewall?
  • Also, could you send us the Rancher application logs?
  • Is Rancher accessible locally on the node where it has been deployed?

@rcsampang In this case you will have to pass the actual desired domain name as the hostname value during installation; an IP doesn't work this way.
E.g. Rancher.xyz.net mapped to the internal IP of the nginx.

Also, is WireGuard installed there, or are you accessing the machines inside an existing VPN?

First of all, thank you for your assistance @syed.salman @ckm007

@syed.salman I think that is the main problem. I installed Rancher on an RKE K8s cluster (1 master node = controlplane + etcd, 2 worker nodes), but the nodes are using private IP addresses, including the separate VM for the Nginx reverse proxy. I have no access nor authority to map the actual domain to these nodes. So I used the private IP as the hostname, but as @ckm007 said this is not possible, which is quite a major blockage for us. Is there a way around this problem?

Also, I am accessing these VMs through a VPN, and for now there is no intention to make MOSIP accessible externally. Is this possible?

Let us say I managed to get approval to DNS map the domain, for example mydomain.net, to the internal IP.

In the install.sh script for the Nginx reverse proxy server (separate VM), the $rancher_nginx_ip should be the internal IP of the separate VM, correct? And this is the one DNS mapped to rancher.mydomain.net and iam.mydomain.net?

And then I would need a wildcard SSL cert *.mydomain.net from LetsEncrypt and place this in the same VM (Nginx reverse proxy server), correct? Or do I need to do this before I install Rancher on the RKE cluster and/or run the install.sh script?

Once that is done, I should use mydomain.net in the Rancher helm installation: --set hostname=rancher.mydomain.net

Rancher is installed on the RKE master node, not on the separate Nginx VM?

Hi @rcsampang
If you don't have the authority to add the actual DNS mapping, you can also use a local private DNS server. If that is not possible, please update your /etc/hosts file for the local DNS settings. FYI: How to Setup Local DNS Using /etc/hosts File in Linux

For private access: by default the MOSIP installation comes with private access only. We prefer to open the URLs to the public only when completely tested and ready.

For the nginx installation in the separate nginx proxy server VM: please run the install.sh, give the necessary input as asked, and get things going. Yes, we need to map both domain names to the internal IP of the proxy nginx server.

The Nginx reverse proxy installation is independent of the Rancher installation. You can install both independently. The only thing is that you need to create the wildcard SSL certificate first in the nginx server VM and only then install nginx.

Yes, Rancher is installed in a separate Rancher RKE cluster there, not on the nginx VM.
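Added example, not from any poster in this thread: an offline check for the two prerequisites the reply above describes, that each hostname maps (here via a constructed /etc/hosts snippet) to the internal IP of the nginx proxy VM, and that the wildcard certificate name on that VM actually covers each hostname. The IP 10.0.0.5, the names under mydomain.net and the sample hosts content are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread). Checks, without any network access, that
# a hostname resolves to the nginx proxy VM and is covered by the wildcard cert.
PROXY_IP="10.0.0.5"          # internal IP of the nginx reverse proxy VM (assumed)
CERT_NAME="*.mydomain.net"   # name on the wildcard certificate held by that VM (assumed)

# Constructed /etc/hosts content standing in for a real DNS zone.
SAMPLE_HOSTS='127.0.0.1   localhost
10.0.0.5    rancher.mydomain.net iam.mydomain.net
10.0.0.9    api.mydomain.net'

# hosts_resolve NAME : print the IP the hosts content maps NAME to (first match).
hosts_resolve() {
  printf '%s\n' "$SAMPLE_HOSTS" | awk -v n="$1" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# wildcard_covers PATTERN NAME : succeed if a certificate name such as
# "*.mydomain.net" covers NAME. A wildcard matches exactly one DNS label, so it
# covers rancher.mydomain.net but neither mydomain.net nor a.b.mydomain.net.
wildcard_covers() {
  pattern=$1; name=$2
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}
      [ "$name" != "$suffix" ] || return 1
      [ "${name%".$suffix"}" != "$name" ] || return 1   # must end in ".$suffix"
      label=${name%".$suffix"}
      [ -n "$label" ] && [ "${label#*.}" = "$label" ]   # exactly one label left
      ;;
    *) [ "$pattern" = "$name" ] ;;
  esac
}

# check_host NAME : print "ok" or the reason the name would fail behind the proxy.
check_host() {
  ip=$(hosts_resolve "$1")
  if [ -z "$ip" ]; then echo "unmapped"; return 1; fi
  if [ "$ip" != "$PROXY_IP" ]; then echo "wrong-ip:$ip"; return 1; fi
  wildcard_covers "$CERT_NAME" "$1" || { echo "cert-mismatch"; return 1; }
  echo "ok"
}

for h in rancher.mydomain.net iam.mydomain.net api.mydomain.net; do
  printf '%s -> %s\n' "$h" "$(check_host "$h")"
done
```

Point the same checks at the real /etc/hosts and the certificate's subject names before running the nginx install.sh, so a name that the proxy cannot serve is caught before the helm install.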

Hello @ckm007! Thank you for guiding me through this. It is a lot clearer right now. Although I still have a question: can I get a free wildcard SSL certificate from LetsEncrypt if I am only using /etc/hosts? How?

Hi @rcsampang, to get a free LetsEncrypt wildcard certificate you will have to complete the ACME challenge. For the ACME challenge you will need at least one global DNS mapping.

Thanks. Then I really need the permission/assistance of our network/domain administrator.

@rcsampang Please explain your environment to us. We will see if we can take care of such requirements in future. Looks like you are deploying in a restricted environment. But we would like to know more about the restrictions and what is allowed for you.

@gsasikumar Hi! We are installing on VMs provisioned for us by a different department who owns the HPC machines. As of now, I can only access those VMs, which at least have Internet connections by default and belong to the same subnet. I have an admin account on these VMs, but if a VM crashes and becomes inaccessible, I won't be able to do anything except wait for the system/network administrator to fix it. I have no means to configure DNS, gateways, routers, firewalls, etc.; I can only put up the request and wait for a response and positive action. I can do basic DNS mapping through /etc/hosts and/or mDNS.

I think the major hindrance for us in installing MOSIP in this environment is the requirement for a wildcard SSL certificate for a domain that is DNS mapped globally. But of course with the permission/assistance of the system/network administrator, we might be able to surpass it.

Actually, I looked at nip.io, sslip.io, mylocal-ip.co, traefik.me, and other such services, but I couldn't wrap my head around them. There is potential for this type of service to be useful in our circumstances, but I haven't had any breakthrough or insight yet on how I could make use of it.

It would be great if there were a way to install MOSIP in this restricted environment, and I will be more than glad to test it.

Best regards,
Ramon

Is it absolutely necessary to set TLS as external?

Would MOSIP still function as intended if I use the "Rancher generated certificate" option?

Can I still test and develop applications on the MOSIP platform without making use of the separate VM for the nginx reverse proxy server and WireGuard?

I know they are there to secure the platform and application but we only intend to use the platform primarily for internal use.

I can install Rancher on the RKE cluster using the Rancher generated certificate without needing a valid IP address, FQDN, and wildcard certificate.

Should I proceed with the rest of the installation, or not, since this would only end up as a futile exercise?

@rcsampang OK, got the feedback. I have initiated some internal discussions to see what can be done here. So you need a way to handle DNS & SSL: either a way to switch them off or to autogenerate them for test environments.

@gsasikumar Thank you so much for looking into this. Yes, having a way to "easily" deal with DNS & SSL for test environments would be very helpful. It would help provide a readily available, functioning MOSIP platform that can be used for developing and testing applications.